Using OpenSSH
SSH, or Secure Shell, is a very handy utility. SSH is not an absolute requirement
for performing tasks in your server room, but it is one of those things that will make
your life a lot easier. With SSH, you are able to execute commands on a different
Linux machine as though you were sitting right there in front of it. Sure, you could
always walk into your server room, grab the keyboard, and start working, but
nowadays remote administration is the name of the game. This is especially true
if it's your turn to be on call and an issue comes up at the office. Depending on the
nature of the issue, SSH may allow you to fix the problem from home or even on
your smartphone, without having to make the trek all the way to your company's
server room. That's not all; SSH also allows you to copy files from one machine to
another and set up an actual storage mount to a directory on a server, which can be
treated on your workstation like the directory were a local part of your file system.
The concept of connecting to a remote host and opening a command shell is not new,
and SSH is not the first to do it. Other solutions such as telnet or rlogin have existed
for quite a while. What makes SSH desirable is that it is more secure than earlier
technologies, as communication is encrypted. There are two protocols for SSH:
protocol 1 and protocol 2. Protocol 1 should not be used under any circumstances,
as it is no longer secure. Traffic sent between two hosts utilizing protocol 1 could be
intercepted by an attacker. We will discuss this aspect of SSH in Chapter 9, Securing
Your Network, but for now I want to make sure that you understand that you
shouldn't use an SSH connection with protocol 1. You should not offer protocol 1
on any of your hosts. Nowadays, protocol 2 is the default.
By default, SSH uses port 22 to communicate. If this port is blocked by a firewall,
you will not be able to connect. This is extremely common in Windows-centric
businesses, since SSH is more common in the Linux/UNIX world. By changing
the configuration of the SSH server, you can configure it to listen on any port you
like. While we won't get into how to configure this just yet (we'll discuss this in
Chapter 9, Securing Your Network), it's mentioned here because it's important to
note that you may run into a situation where you aren't able to connect to an
SSH server, for example, when the port is either closed or has been changed
to a different one.
Although I mentioned that learning SSH isn't actually required to perform tasks on
a server or workstation, it is highly recommended that you spend time to learn it.
Not only do companies that utilize Linux servers expect you to know it, you won't
want to miss out on its advantages. Thankfully, as useful as SSH is, it's by no means
difficult to learn. You could easily learn the most basic functionality in five minutes,
or advanced usage within a week.
Chapter 3
Installing and configuring OpenSSH
OpenSSH comes in two pieces, the client application and the server application.
It's likely that the client application is installed by default in your distribution.
The client allows you to connect to other nodes via SSH, but having the client alone
doesn't allow others to connect to you. If you want to access a machine via SSH,
that machine must also have the SSH server application installed. Your chosen
distribution may have the server application installed by default, but most don't.
This is due to security; unless you absolutely need to have an application running
and listening for connections, it should be absent. The fewer applications, the smaller
the attack surface someone could use against you.
In Debian, SSH server is an option during the installation process. If selected,
the server application of SSH will be present and will start by default. To check
whether the SSH server package is installed on a Debian system, execute the
following command:
aptitude search openssh-server
If the service isn't running, you can start it by executing the following command
on Debian:
# systemctl start ssh.service
On Debian, you can check the status of the SSH service by executing the
following command:
# systemctl status ssh.service
If it's running, the output should include active (running).
If your system doesn't have the SSH server package installed, you can install it with
the following command:
# apt-get install openssh-server
After you've installed the package, check the status of the service with the following
command to see if it's enabled:
systemctl status ssh.service
Otherwise, it won't start automatically the next time you boot the machine.
In CentOS, you also use the systemctl command in order to check the status of the
SSH service, though the daemon is named a bit differently:
systemctl status sshd.service
After installation, ensure that the service is enabled by checking the status:
systemctl status sshd.service
If the SSH service is not in an enabled state (start on boot), execute the
following command:
# systemctl enable sshd.service
As long as your username is the same on both sides, that command should ask for
your password and then let you in. If your username is different on the host you're
attempting to connect to, add the appropriate username to the command like this:
ssh jdoe@192.168.1.201
With SSH, you can connect to another Linux installation using any username that
exists there, as long as you know the password for it. In fact, depending on how the
distribution was configured by the vendor, you may even be able to log in directly
as root. In CentOS, root login is enabled by default. In Debian, root login via SSH is
not allowed unless you're using an RSA key (we'll discuss this in Chapter 9, Securing
Your Network). Although we'll discuss more about security (including how to allow
and disallow users) in that chapter, for now it's important to understand that allowing
root access to a system via SSH is a very bad idea. I hope that you'll keep this
disabled on production servers and workstations. If you wish to disable root access
now, go to the relevant section of Chapter 9, Securing Your Network, and then come
back here.
SSH also allows you to specify a host name rather than an IP address. In fact, host
names are the preferred method, since it's difficult to memorize IP addresses if
you have a great number of machines in your network. SSH itself doesn't resolve
host names; it relies on DNS for that. If the DNS server on your network has an A
(address) record for the machine you wish to connect to, you should be able to use
the host name instead of the IP address:
ssh jdoe@chupacabra
If the machine doesn't have a DNS entry in your network, or if you have
yet to set up a DNS server, don't worry. We'll discuss setting up our very
own DNS (bind) server in Chapter 6, Configuring Network Services.
After a successful connection, you should have a command prompt to a shell on the
target machine. From here, you can install packages, manage users, configure the
network, or do anything else that you'd be able to do if you were able to log in to
the machine in person. Your only limit is whatever permissions your user has to the
system. If it's a machine that belongs to you, or one that you set up yourself and you
know the root password for, you can literally do anything you want. If the machine
belongs to someone else, you might have permission to modify your local home
folder only. Either way, you successfully connected to a machine using SSH. The
remaining sections of this chapter, as well as Chapter 9, Securing Your Network, will
expand on this basic knowledge.
The OpenSSH config file
As long as we typed it out correctly, SSH should see the file and allow us to use it.
Then we can create our own list of hosts in this file to easily provide the required
parameters for each, and allow easier access. Go ahead and give it a try in your lab.
The scp utility is primarily meant for those who need a quick transfer of a file, as it
is not a long-term solution for file access and storage. In a situation where you need
to create a storage repository that others need to access, you would typically set up
an NFS or Samba share to accomplish the goal. However, scp is a great utility that
will prove very useful to you whenever you want to simply send a file to another
machine without configuring anything.
Transferring files to another node via scp
Let's give scp a try. As with our previous SSH activity, you'll need at least two
machines: one with the SSH server installed and running, and another with at
least the client. In this case, the distribution shouldn't matter, as long as you meet
these simple requirements. In addition, we'll need a file to test with. The file can be
something small, such as a text file or image, or large, such as an ISO file for a Linux
distribution. The goal is to transfer this file to another machine using scp. Let's see
how to do this.
For the sake of this tutorial, I'll outline the procedure for a machine named foo to
transfer a file to a machine named bar.
First, let's take a look at a simple example of scp:
scp my-image.jpg 192.168.1.200:/home/jdoe/
In that example, we've executed the scp command against a file named my-image.jpg.
Next, we outline the target. In this case, a machine with the IP address of
192.168.1.200. Then we type a colon and the path where we'd like the file to be
stored. In this case, we are going to copy the file into the home directory for jdoe.
Since we know the name of the target machine (bar), we could use the name of the
machine instead of the IP address, assuming that it is recognized by the DNS server,
was configured in ~/.ssh/config, or is an entry in foo's /etc/hosts file. The
command is as follows:
scp my-image.jpg bar:/home/jdoe
We simplified the command a bit since we know the name of the machine.
Additionally, we don't have to type out the name of the directory if we're
intending to copy to a user's home directory. We could have simplified the
command to the following:
scp my-image.jpg bar:.
In the example, instead of typing out /home/jdoe, we replaced the path with a
period. This works because the home directory is assumed unless you give the
command a separate path. We'd also get the same result if we used a tilde (~) instead:
scp my-image.jpg bar:~
What if the data we wish to copy is an entire directory instead of just a single file?
If we try to use the scp command against a directory, it will fail. In order to copy an
entire directory, we need to add the -r flag, which performs a recursive copy:
scp -r my_dir bar:~
Now, the my_dir directory and its contents will be transferred over. Another useful
flag when copying files is -p, which preserves the modification times when the file is
copied. If we combine that with the previous command, we get:
scp -rp my_dir bar:~
However, each of these commands will fail if the user name is different on the two
machines. For example, if the logged-on user on foo is dlong and the user doesn't
exist on bar, the command would fail because the sending computer would default
to using dlong, the currently logged-on user. In this case, the other computer would
ask you for the password three times, and then give you a message that access is
denied. This is because you would essentially be typing a password for a user that
doesn't exist. If we need to specify the username for the target, the command would
become similar to the following:
scp my-image.jpg jdoe@bar:~
With the new version of the command, you'll be prompted for the jdoe password,
and then the file would be copied to /home/jdoe on the receiving end.
As mentioned previously in this chapter, the default port for SSH (port 22) may not
be open on the target, as perhaps it is listening on a different port. With scp, we can
specify a different port. To do so, use the -P flag. Note that this is an uppercase P,
unlike the ssh command that uses a lowercase -p for specifying the port (this can be
somewhat confusing at first when switching between ssh and scp). For example, this
flag is appended to the previous command:
scp -P 6022 my-image.jpg jdoe@bar:~
Go ahead and give it a try in your lab. Find a file of any type and attempt to transfer
it to another Linux machine. If you do this a few times, you should be able to get
the hang of it fairly quickly. Another point of interest in regards to scp is that you
can use it to copy a file or directory from a remote machine to your local one if you
already know the path of the file you wish to download. In the last example of this
section, I'm copying myimage.jpg from remote host bar to my current working
directory (which I designate with a period):
scp jdoe@bar:~/myimage.jpg .
Tunneling traffic via SSH
One of the most useful features of SSH is creating an SSH tunnel. An SSH tunnel
allows you to access services locally that originate from another computer or server.
This allows you to do such things as bypass local DNS filtering or even access an
IRC server that is segregated within your company from home.
Be very careful when utilizing SSH tunnels. If you aren't able to
access a resource while at work, or a work resource is blocked from
being accessible from outside the network, chances are the network
administrator (if that person is not you) set it up this way for a reason.
When bypassing restrictions or accessing work resources from outside the
network, always ensure you have permission to do so.
In order for an SSH tunnel to be effective, you first need to be able to access SSH
where the service you'd like to access is hosted. If you're able to initiate a normal
SSH connection to a network containing the service, chances are that you'll have
no problem creating a tunnel.
While utilizing SSH to create a tunnel, the command changes a bit. Instead of just
executing the ssh command against a host name or IP address, there are a few more
flags added. First, we add the -L flag. This sets up what is known as a bind address,
which basically means we are taking a local port and forwarding it to a specific port
on the other end.
The syntax for such a command string would be something like this:
ssh -L <local-port>:localhost:<remote-port> <username>@10.10.10.101
Here, we're forwarding port 5900 on our local machine to port 5901 on
10.10.10.101. As soon as the session connects and is established, we can then
use the following in our VNC viewing application on our local machine to connect
to the VNC service on the remote end:
localhost:5900
Anytime localhost:5900 is used, we'll be forwarded to our remote machine.
To end the session, exit from the SSH connection. For VNC, we need to specify
which VNC session to use. In order to use the VNC Viewer application to open
a VNC session to 10.10.10.101, we would execute the following command:
vncviewer localhost:1
In this example, jdoe has a user account on host 66.238.170.50 and wishes to
connect to host 10.10.10.60, which is inside her company network. In this example,
jdoe is forwarding local port 3388 on localhost to port 3389 on host 10.10.10.60,
but establishing the connection through host 66.238.170.50. Now, user jdoe is
able to open a remote desktop client and use the following command for the
connection address:
localhost:3388
As long as the SSH connection remains open, jdoe will then be able to utilize
a remote desktop on the server from her local computer. If the shell is closed,
then the connection will terminate.
Using SSH tunnels can be very useful. Feel free to give it a try and see which services
you can forward through your network.
Generating a key pair is simple using the ssh-keygen command, which will guide
you through the process of setting up your keys. During this process, you will be
asked to create a passphrase. You could, if you wanted to, disregard this prompt
and simply press Enter to create a key without a passphrase. Doing so, however,
drastically lowers the security of that key. While it is certainly much more convenient
to not have to type anything at all when connecting to a host via SSH, it's definitely
recommended to use a passphrase and benefit from the added security.
With public key authentication, two files are created in the user's home directory.
The id_rsa file is your private key. You should keep it local and not transmit it or
share it in a public place. The id_rsa.pub file is your public key, which you can safely copy
to other hosts that you connect to. From that point forward, you will be able to use
public key authentication to connect to another host.
Let's summarize the entire process. First, while logged in to your local or main
machine, execute ssh-keygen and walk through the steps. Make sure to create a
passphrase for added security.
Next, utilize the ssh-copy-id command in order to copy your key to the remote
server you wish to connect to. The command syntax is as follows:
ssh-copy-id -i ~/.ssh/id_rsa.pub <remote host IP or name>
This command will copy your public key into the authorized_keys file under your
~/.ssh folder on the target machine. This file stores all the keys that the machine
knows about. If you were to check before and after running through the ssh-copy-id
process, you'd notice that the authorized_keys file on the target either didn't
exist or didn't include your key until after you executed the command.
As mentioned earlier, it is possible to configure your computer or server to disallow
authentication via password, only allowing public key authentication instead. This
portion will be discussed further in Chapter 9, Securing Your Network. For now, it's
important to get in the habit of generating, copying, and using keys. Feel free to
create a key pair on your local machine and copy the public key to a server that
you frequently connect to.
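What ssh-copy-id does on the remote side, shown as an added example that is not from the book: a POSIX sh function that installs one public key line into authorized_keys exactly once and sets the modes sshd expects. The key string and the scratch home directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the book: the essential step ssh-copy-id performs
# on the remote host, done by hand against a scratch home so it runs offline.
# It appends one public key line to ~/.ssh/authorized_keys exactly once and
# sets the modes sshd's StrictModes check (on by default) expects: neither
# ~/.ssh nor authorized_keys may be group- or world-writable, otherwise sshd
# logs "bad ownership or modes" and the client falls back to a password
# prompt. 700/600 is the usual choice.

# install_pubkey <authorized_keys line> <home directory>
# Prints "installed" or "already-present".
install_pubkey() {
    pubkey_line=$1
    ssh_dir=$2/.ssh
    auth=$ssh_dir/authorized_keys
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    # Whole-line fixed-string match: a second run must not add a duplicate.
    if grep -qxF "$pubkey_line" "$auth"; then
        echo "already-present"
    else
        printf '%s\n' "$pubkey_line" >> "$auth"
        echo "installed"
    fi
}

# count_key <authorized_keys line> <authorized_keys file>
# Number of whole-line occurrences of the key (exit status 1 when zero).
count_key() {
    grep -cxF "$1" "$2"
}

# Constructed placeholder, deliberately not a valid key, so the demo needs no
# ssh-keygen. A real line would come from ~/.ssh/id_rsa.pub.
SAMPLE_KEY='ssh-ed25519 AAAA-CONSTRUCTED-NOT-A-REAL-KEY jdoe@foo'

# Demo: install twice into a scratch home, then show the key appears once.
demo_home=$(mktemp -d)
install_pubkey "$SAMPLE_KEY" "$demo_home"
install_pubkey "$SAMPLE_KEY" "$demo_home"
count_key "$SAMPLE_KEY" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```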
Keeping SSH connections alive
Depending on how your SSH server or internal firewalls are configured, your SSH
session may automatically disconnect after some time. It's possible to configure SSH
to send a special packet every certain number of seconds, to keep the connection
from idling and becoming a candidate for disconnection. This is useful if you have
a service that utilizes SSH that you do not want to be disconnected. To employ this
tweak, we must configure the ServerAliveInterval setting.
There are two ways of configuring this: one that affects your user account, and
another that will deploy the setting system-wide. First, let's explore how to configure
this for your user account.
Remember the ~/.ssh/config file that we configured earlier in this chapter? Open it
up again in your text editor. Here's a sample of this file for your convenience:
Host icarus
Hostname 10.10.10.76
Port 22
User jdoe
Host daedalus
Hostname 10.10.10.88
Port 65000
User duser
Host dragon
Hostname 10.10.10.99
Port 22
User jdoe
As before, we have three systems. If we wish to configure a host, for example
icarus, to send an alive packet once every 60 seconds, we can add the following
setting to it:
Host icarus
ServerAliveInterval 60
Hostname 10.10.10.76
Port 22
User jdoe
If we wish to set the ServerAliveInterval setting for all hosts we connect to,
we could add this option as a wildcard instead by adding the following to the
top of the file:
Host *
ServerAliveInterval 60
With this, the setting takes effect for all systems we initiate a connection to. Although
we haven't discussed them yet, there are two system-wide (global) configuration
files for SSH. We'll discuss these files later in this book, but the subject of this section
is an opportunity to give you a quick introduction:
/etc/ssh/ssh_config: This file will impact all users who make outbound
connections. Think of this as the client configuration file.
/etc/ssh/sshd_config: This is the global config file for the server.
Anything you configure in one of these two files will impact every user. The ssh_config
file impacts all outbound connections, and the sshd_config impacts all the
incoming connections. For this section, the file we're interested in is the ssh_config
file, since we can set the ServerAliveInterval setting for all users by including it
there. In fact, regardless of whether we're configuring /etc/ssh/ssh_config or the
local ~/.ssh/config file, the option is the same. Simply add it to the end of the file:
ServerAliveInterval 60
Of course, we'll explore configuring these options further later on in this book.
For now, just remember the purpose of these two files and where they're located.
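The position of a Host * block matters: ssh keeps the first value it finds for an option, so a wildcard block at the top of the file shadows any per-host ServerAliveInterval placed below it, while a wildcard block at the end acts as a default. The following added example (not from the book) resolves the effective value for an alias the way ssh does, using a constructed copy of the icarus and daedalus entries from this section.

```shell
#!/bin/sh
# Added example, not from the book: resolve which ServerAliveInterval a
# given Host alias actually gets from an ssh_config-style file. ssh
# keeps the FIRST value it finds for an option, so "Host *" at the top
# shadows later per-host values; put defaults at the end of the file.
# Only exact aliases and "*" are matched (no other patterns, no Match).
# effective_alive_interval <alias> <config file>
# Prints the winning value, or "unset" if no applicable block sets one.
effective_alive_interval() {
    awk -v want="$1" '
        # A Host line opens a block; record whether it applies to <alias>.
        tolower($1) == "host" {
            applies = 0
            for (i = 2; i <= NF; i++)
                if ($i == want || $i == "*") applies = 1
            next
        }
        # First matching ServerAliveInterval wins, as in ssh.
        applies && tolower($1) == "serveraliveinterval" {
            print $2; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$2"
}

# Constructed config with the wildcard at the top, as this section shows,
# plus a per-host interval for daedalus that will never take effect.
write_config_wildcard_first() {
    cat > "$1" <<'EOF'
Host *
    ServerAliveInterval 60
Host icarus
    Hostname 10.10.10.76
    User jdoe
Host daedalus
    ServerAliveInterval 15
    Hostname 10.10.10.88
    Port 65000
    User duser
EOF
}

# Same hosts with the wildcard moved to the end: daedalus keeps its 15.
write_config_wildcard_last() {
    cat > "$1" <<'EOF'
Host icarus
    Hostname 10.10.10.76
    User jdoe
Host daedalus
    ServerAliveInterval 15
    Hostname 10.10.10.88
    Port 65000
    User duser
Host *
    ServerAliveInterval 60
EOF
}

cfg=$(mktemp)
write_config_wildcard_first "$cfg"
echo "wildcard first, daedalus gets: $(effective_alive_interval daedalus "$cfg")"
write_config_wildcard_last "$cfg"
echo "wildcard last, daedalus gets:  $(effective_alive_interval daedalus "$cfg")"
rm -f "$cfg"
```

On a real system, ssh -G daedalus prints the full effective configuration for that alias, which is the quickest way to confirm which value won.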
Exploring an alternative to SSH utilizing Mosh (mobile shell)
While starting out with SSH, you might notice one quirk right away: if your network
connection drops, it can be difficult to regain control of what you were doing on
the machine you were connected to. This is especially common with laptops, as
your connection state on such a device will change depending on where you are
or what network you're connected to. While running commands within a terminal
multiplexer such as tmux or screen can keep your workflow alive even after
disconnecting, there is an alternative to SSH that may work for you. Mosh (mobile
shell) is an alternative to SSH that will keep your remote session alive, even if you
disconnect from the network where the resource resides. When you reconnect to the
network, Mosh will allow you to pick up where you left off.
Installing Mosh in Debian is extremely easy. Simply install the mosh package, as it is
available from within the default repositories:
# apt-get install mosh
In CentOS, Mosh is not available from that distribution's default repositories,
so you'll first need to add an additional repository in order to make it available.
First, enable the EPEL repository with the following command:
# yum install epel-release
Then, you should be able to install the mosh package:
# yum install mosh
In order for Mosh to be effective, you will need to install it not only on your local
machine but also any machines you wish to connect to. The syntax is similar to SSH:
mosh jdoe@10.10.10.101
In fact, Mosh actually utilizes SSH to initiate the connection, and then the mosh
program takes over from there. After you connect, you can simulate a disconnect
by removing your network cable or disconnecting from your wireless access point.
You will notice that the next time you connect using mosh, your session should be
just as you left it. To see the magic in all its glory, consider starting a process (such as
running the top command) before disconnecting.
While there are many ways to keep processes running on a remote server even when
your session is disconnected, Mosh is one of the newer and more unique solutions.
Give it a try!
Summary
In this chapter, we discussed SSH in all its glory. We started off with a discussion
of what SSH is and why it's useful, and then we ensured it was installed on our
systems. Using SSH, we were able to connect to other Linux machines and execute
commands. We also took a look at configuring hosts in the ~/.ssh/config file and
transferring files from one host to another using scp. In addition, SSH tunneling was
discussed, as well as an introduction to public key authentication. We finished the
chapter with a look at Mosh, which is a neat alternative to SSH.
In the next chapter, we'll tackle file sharing by setting up our very own file server.
We'll set up file shares via Samba as well as NFS, as well as the individual quirks of
each solution. See you there!